by sz4kerto 1265 days ago
I know a person who works in tech, is very smart, has plenty of gadgets -- he just can't take this seriously and uses a single txt file in Dropbox for all his passwords (which are all just human-generated, reused, MyRandomW0rd123-like passwords). Claims to be optimistic and thinks that he's not going to be that person who gets hacked.

And to be fair he's not that wrong

The real annoyance is that we need a "password manager" in the first place

You wouldn't need to worry (too much - as long as it's not a weak password) about password reuse if websites abided by security best practices and didn't leak lists of weakly hashed passwords. Salt + pepper + a good amount of rounds of a proper hashing function: good luck
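What "salt + pepper + rounds" looks like in practice, as an added example that is not part of this thread: a per-user salt, a server-held pepper applied via HMAC, PBKDF2 stretching, and verification, beside the weak unsalted scheme the comment complains about. The PEPPER value and ROUNDS constant are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Server-side secret kept outside the database (env var, KMS, HSM). Constructed
# value for this example; in production it is generated once and kept secret.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware speeds up

def naive_hash(password: str) -> str:
    """The weak scheme the thread complains about: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt, stored alongside the digest
    # Pepper first: keyed HMAC with a secret that is never in the database, so a
    # leaked table alone gives an attacker nothing to run guesses against.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    # Then stretch: the iteration count is what makes each guess expensive.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    try:
        alg, rounds, salt_hex, _digest = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, record)

def demo() -> dict:
    pw = "MyRandomW0rd123"  # the reused human-generated password from the thread
    results = {
        # Unsalted fast hashing: two leaked sites expose the same digest, so one
        # dump reveals the reuse and a single cracked value unlocks both accounts.
        "naive_identical_across_sites": naive_hash(pw) == naive_hash(pw),
        # Salted: the same password yields unrelated records on each site.
        "salted_differ_across_sites": hash_password(pw) != hash_password(pw),
    }
    record = hash_password(pw)
    results["correct_password_verifies"] = verify_password(pw, record)
    results["wrong_password_rejected"] = not verify_password("MyRandomW0rd124", record)
    return results
```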

And to be fair the browser ones work great. Another one that works great is a paper notebook

And again, it all depends on your threat models. Using very complicated passwords and 2FAing your password manager will only ensure that you'll get locked out of your accounts sooner or later (unless you have a target painted on your back for some reason)

Strong disagree about password reuse: the average person has multiple dozens if not hundreds of accounts on various services. Even if none of them ever get hacked, you are still trusting thousands of engineers with access to production not to record the passwords that are sent to them with each login.

Just use a random password per service and keep it in a password manager.

Again, if companies didn't treat password data carelessly (or, even worse, like your example) it would have been a minor issue

Yeah, I'm not advocating for password reuse, I'm saying that a good system would make it a non-issue

> Again, if companies didn't treat password data carelessly

This is not a real solution. The real world is full of unreliable actors and byzantine generals. Any solution that depends on a perfect environment isn’t one.

The problem is you don’t need to get one company to behave well. You need to get every company to behave well.

It’s almost like saying “we don’t need to spend money on a court system, if we just got everyone in the country to work out their disagreements amicably”. While… true, it doesn’t sound like a plausible solution to my ear.

True. Which also means the expected reliability of a 3rd party password manager also goes down

Maybe we can just ditch passwords for most services

I recently did a migration, and have > 1300 passwords.
Remember that when you create an account and log into a service, you don't know if they even hash your password. They could email all the login attempts with your password in plain text.

A good password manager and 2FA, properly set up, should not increase your risk of lock out. It should decrease it - one set of 2FA elements and one password to remember.

Hashing passwords reduces the threat from database dumps, but it doesn't help against an attacker uploading a compromised version of the app and siphoning off credentials as they're submitted.